Avaya definity

139 posts in this topic

I've recently acquired a definity PBX in a compact modular cabinet. It has been very fun to mess with, but I only know the password to the cust account, which has limited privileges. Namely, I can't add test numbers or set up a LAN card. Has anyone out there found a way to find or reset the password for any of the other accounts?

Edited August 12, 2016 by xhausted110

Sure! I had to go through this myself, only without the benefit of an account on the translations card to work with. Depending on what software release you have (if you're trying to install a C-LAN card, I assume it's a fairly late release. I don't think it'll work with anything below release 7) you have a few different options here.

1) The easiest is to just boot the system with no translations card installed. Once you've got it running, log into it with the username inads and the password indspw. Go ahead and insert the memory card into the reader. Or just skip all this crap and if you have something that accepts linear flash (ATA flash for the later systems) PCMCIA cards, just stick it in that. Anyway, assuming you're doing the Definity method, type 'upload translation'. Or maybe it's download; I think they made it to be upload from the Definity instead of to the terminal emulator. On one, it'll copy the flash card's contents into RAM and say "Prepare to receive file". Use xmodem to receive the file, and you'll have a copy of the passwords (albeit XORed or something; it's not anything particularly sophisticated. I don't know the algorithm, but I can give you as many plaintexts as you want if you need them. It doesn't seem to be anything standard, but it looks like Base64 at first glance) from the switch.

2) If you have a release 6 or lower processor, you can boot with no translations card again, and overwrite the bytes for the init (superuser; the one that lets you activate any feature you feel like having) password with the ones of a password you know (there's no RAM protection; the rva command should let you do this. I'll attach a ramdump of the pam process to this post). For added shits and giggles, there's even a byte you can change to make a password expire. In some situations, that might be the only way you have to change it. I dunno a lot about the way the header works, but in release 6 and 8, there's a byte that indicates what type of account the username is - or maybe it's an account ID. By default, it's 0x00 for init, 0x01 for inads, 0x02 for craft, and I think the rest are in descending order of account privileges. It might be possible to have two init or inads accounts. However, if the init account is set to prompt for an ASG login (which in release 8/+, it is by default), it'll try and give you a challenge/response for the init account.

If you do have a release 8/+ translations card, one thing I've found you can do is change the account ID for the init account to 0x01 (so it doesn't prompt for an ASG challenge/response), write the password to one you know, and then write it back to 0x00 when you're logged in. Though you'll get slightly higher privileges than the inads account, it seems to know what you're doing, and disables the option to change purchased features. Or activate the switch to begin with >.< .

For release 8/+, I think there's really only one course of action that can be done at the moment; log in as inads (or init with the above method; the only difference is under inads, it'll try to hide this, but it'll still accept it) and type 'go debugger local'. The switch has a lot of nice things in here, including a simple disassembler. If you speak R3000 assembly, you can probably figure out why/how the switch knows you've been screwing around with the accounts. Judging by how it complains about my *cough* modded release 6 card, I assume the init password is derived from something specific to the software version, and newer releases, knowing that, will complain if you've changed it.

If you decide to take this route, lemme know. There's a bit more detail I can go into about the debugger and general Oryx/Pecos operation.

3) You can boot it with no translations card, and upload a fully unlocked release 6 translations backup I made to your card. On newer releases, this'll still work, but you'll be relegated to release 6 features, and it won't let you save; the newer processor releases seem to know something is up, and will claim the card is corrupted. Normally I'd just upload it, but there's some stuff I'd rather not have public on the translations backup I made. Lemme know if you want it.

My switch is running release 9. The inads account has a challenge/response password on mine, would that go away if I pulled the translations card? Also, if I do pull the translations card, can I put it back in and reboot with the configuration on it if the inads account still has ASG?

On release 8, if you boot up with translations it'll want a challenge/response for inads, but that goes away if you boot it with no card. The thing about ASG is I dunno where it's pulling the keys from (maybe there's some default values on the ROM? I know ASG exists for release 6, but it isn't turned on by default. I definitely didn't generate a key for inads). From the stuff I've been able to dig up, it's not particularly strong either; it's a 20-digit octal key plus a 4-8 digit PIN. The response it's expecting is a seven digit number.

Speaking of which, a 20-digit octal key is 112 bits, right? Didn't a lot of older crypto stuff use a key of that particular length? If someone here is familiar with cryptography, would you mind filling us in on why that might be?

Yet another EDIT: The ASG key is 256-bit. 20h byte key -> decimal = 32 bytes * 8 = 256 bits. I'm, uhh, not great at math. In any case, the earlier ASG stuff is based around DES. Sometime in the mid 2000s, they switched to AES.

EDIT: Before anyone asks, it's not 3DES. It came out long before 1998.

Another EDIT: I have the Linux PAM module for Audix if you want it.

There shouldn't be anything stopping you from putting the card back in and booting normally if nothing I talked about worked, though. Might as well write a backup of the card to your computer if nothing else.

Ok, so I booted with the card out, logged in to inads, put the card back in, and did an "upload translation". HyperTerminal received a 442K file. Now, what do I do with this file?

UPDATE: So I opened the file with notepad, and towards the beginning, there's a list of usernames, in the following format: cust lutr1ce!!!!!!KV!!Y!S I would assume that lutr1ce is the hash, do I just copy that part to another user, or everything after it too?

Another update: I opened it with a hex editor, and this is what it shows: cust...lutr1ce!!!!!!KV!!Y!S

they seem to have different amounts of dots, like: craft..ra6wbot!!1!!a1bc!xj!!!!! Or: dadmin.79S04kR9!7!!79C043K9!7!!

Edited August 14, 2016 by xhausted110

At this point, you could probably just log in using the craft account; the password is "y0urthe1". I'm surprised; it actually only took a few hours to figure out. Let me explain how it works; it's actually pretty funny. So go ahead and boot your Definity without a translations card, and we can get started. As before, log in with inads, but this time type 'go tcm'. From here, you'll see a new, and from the looks of it, very, very nifty shell once you've gotten your switch running with no restrictions. If you type klog, you can see a printout like this;

If you're not familiar with Oryx/Pecos, Oryx is the kernel, and Pecos is a series of processes that runs on top of it. But back to the password thing, if you're looking to do a lot of comprehensive work with the password file on the switch, you should do a full dump of the RAM allocated to the pam process. But that's kind of a big pain in the ass. If you're just looking to get the passwords, the switch actually makes it relatively easy. At the TCM shell, type this;

See? It even gave us a little ASCII printout! Wasn't that nice of it? It'll ask you to press enter a few times before giving you the passwords for all users. So once you've got it, you'll probably notice a few things.

For one, there's a lot of exclamations in the password file. Secondly, the dadmin account will probably read something like this;

So why so many exclamation points? The exclamation point is a null character as far as the passwords are concerned. The byte I highlighted in bold is the one responsible for the user ID.

So I'm going to change the password for craft from crftpw to crftpw1 and re-run the TCM shell command. There's a byte you can change in the RAM to make it force you to change your password. It's good in a situation like this where the switch won't let you change your password normally. It's sort of a pain in the ass to find, but let me know if you want me to point it out. Anyway, you'll notice the first two lines just changed to this;

This would be a good time to mention the Definity has two copies of your password, as you've no doubt noticed. But the old one stayed the same in this case, as far as I can tell, to enforce the password policy. Namely so that when your password expires, you can't just change it back to the old one. So what changed? Just one character - the 1 at the end. And sure enough, one of the null characters changed to a 1. Obviously though, it's not just as simple as scrambled characters. So next, let's change the password to aaaaaa1.

Notice the position of the 1 stayed the same. So at this point, it's obvious they're just substituting one letter (or number) for another. I'll save you some time here, and just say since a translates to z, b is x, c is c, d = v, e = b, and f = n. So with that in mind, let's figure out how this stupid byte swapping trick they're doing works.

Can you say insecure? The Definity can! Or as it'd say, ctjbwse12b2! . If you'd care to learn the order of the remaining bytes (that's the maximum length of 11 characters), that's "insecure133".

EDIT: I talked with Chronomex earlier, and she pointed out that the characters map to the keys on a Qwerty keyboard backwards. Somehow Nortel got the idea this substitution cipher/byte swapping thing was a good idea too, so you'll see something like it on Meridians. There's actually an NES game that did a better job at this.
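
The dump layout and the password scrambling, as an added worked example (this is not code from the thread and not Avaya's code). It parses login records the way they appear in the hex-editor excerpts above (a 7-byte NUL-padded username followed by two 12-byte password fields, with '!' for an unused byte) and reverses both the character substitution and the byte shuffle. The a-f letter pairs are the ones stated above; the remaining letters assume the "Qwerty keyboard backwards" remark (rows read bottom-up, left to right) and were checked against the "insecure133" -> "ctjbwse12b2!" and craft ("y0urthe1" -> "ra6wbot!!1!!") examples, from which the position shuffle was also recovered. Only three digit pairs can be read off the page (1, 3 and 0), so any other digit or symbol comes back as '?', and upper-case handling is an assumption. The sample dump is constructed from the three records quoted above, with the cut-off cust field padded; note that the scheme yields "custpw1" for the cust record, which the thread itself never states, so treat that as the algorithm's output rather than a page fact.

```python
"""Definity translation-dump login records and password obfuscation.

Added example, not code from the thread or from Avaya. Assumptions are
marked below; everything else is taken from the excerpts in the thread.
"""

USER_LEN = 7     # username field, NUL-padded ("cust\0\0\0", "dadmin\0")
FIELD_LEN = 12   # each stored password field; '!' marks an unused byte

# Letter table: plaintext a..z -> stored character. a-f are given in the
# thread (a->z, b->x, c->c, d->v, e->b, f->n); g..z ASSUME the remark that
# the table is the QWERTY rows read bottom-up, left to right.
_KEYS = "zxcvbnmasdfghjklqwertyuiop"
_ENC = {chr(ord("a") + i): k for i, k in enumerate(_KEYS)}
# Digit pairs that can be read off the thread's examples: 1->1 (aaaaaa1),
# 3->2 (insecure133), 0->6 (y0urthe1). Other digits are unknown.
_ENC.update({"1": "1", "3": "2", "0": "6"})
_DEC = {v: k for k, v in _ENC.items()}

# Byte shuffle: stored position -> plaintext position, recovered from
# "insecure133" -> "ctjbwse12b2!" and "y0urthe1" -> "ra6wbot!!1!!".
# Stored byte 11 is always '!' in the examples (11-character maximum).
_STORED_TO_PLAIN = [4, 5, 1, 3, 6, 0, 2, 8, 9, 7, 10]


def _subst(c, table):
    """Substitute one character; case handling is an ASSUMPTION."""
    out = table.get(c.lower())
    if out is None:
        return "?"                       # not recoverable from page data
    return out.upper() if c.isupper() else out


def encode(password):
    """Plaintext (max 11 chars) -> 12-byte stored field."""
    if len(password) > FIELD_LEN - 1:
        raise ValueError("Definity passwords are at most 11 characters")
    plain = password.ljust(FIELD_LEN - 1, "!")
    stored = ["!"] * FIELD_LEN
    for spos, ppos in enumerate(_STORED_TO_PLAIN):
        if plain[ppos] != "!":
            stored[spos] = _subst(plain[ppos], _ENC)
    return "".join(stored)


def decode(field):
    """12-byte stored field -> plaintext; unknown characters become '?'."""
    field = field.ljust(FIELD_LEN, "!")[:FIELD_LEN]
    plain = [""] * (FIELD_LEN - 1)
    for spos, ppos in enumerate(_STORED_TO_PLAIN):
        if field[spos] != "!":
            plain[ppos] = _subst(field[spos], _DEC)
    return "".join(plain)


def parse_records(blob, users=(b"init", b"inads", b"craft", b"dadmin", b"cust")):
    """Locate login records in a translation dump by NUL-padded username.

    Returns {user: (current_field, previous_field)}; users absent from the
    dump are skipped. The record layout is inferred from the hex excerpts.
    """
    records = {}
    for user in users:
        idx = blob.find(user.ljust(USER_LEN, b"\x00"))
        if idx < 0:
            continue
        start = idx + USER_LEN
        cur = blob[start:start + FIELD_LEN].decode("ascii", "replace")
        old = blob[start + FIELD_LEN:start + 2 * FIELD_LEN].decode("ascii", "replace")
        records[user.decode()] = (cur, old)
    return records


def recover_passwords(blob):
    """Current password for every login record found in the dump."""
    return {u: decode(cur) for u, (cur, _old) in parse_records(blob).items()}


# Constructed sample: the three records quoted in the thread, laid out back
# to back. The cust previous-password field was cut off in the post, so its
# tail is padded with '!' here.
SAMPLE_DUMP = (
    b"cust\x00\x00\x00" + b"lutr1ce!!!!!" + b"!KV!!Y!S!!!!"
    + b"craft\x00\x00" + b"ra6wbot!!1!!" + b"a1bc!xj!!!!!"
    + b"dadmin\x00" + b"79S04kR9!7!!" + b"79C043K9!7!!"
)

if __name__ == "__main__":
    for user, pw in recover_passwords(SAMPLE_DUMP).items():
        print(f"{user:7s} {pw}")
    print(encode("insecure133"))   # ctjbwse12b2!
```

The second 12-byte field is kept alongside the current one because, as the post notes, the switch retains the previous password to enforce its reuse policy; running decode() over it gives the prior password under the same scheme. Digits the page does not pin down come back as '?' rather than a guess, so the dadmin record decodes only partially.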

Wow! Thank you very much! This is amazing information. I was able to figure out the dadmin password, although the init and inads accounts still have a challenge response password. I'm amazed at how simple the "encryption" is.

Sure! I actually happen to have a working Audix ISO sitting right here. When I get to an uncapped internet connection, I'll upload it for you. I was going to make an article about this at some point, since there's a fair amount of crap you'll have to do with the shell scripts on the system to make it cooperate. But it's more just tedious than anything else.

So you'll need:

* Any old computer (a 500 MHz machine with, say, 256 MB of RAM should be fine) capable of supporting a full size PCI card

There's probably a way to kluge it to work with a Dialogic T1 card, but this particular Audix install likes to transcode everything to some weird CELP codec. That, and it runs on an ancient version of circa-2003 Redhat. Between the two, I wound up shrugging it off and making my own custom IVR with it from the ground up. If that's all you want by the way, the vectoring feature on the Definity is surprisingly decent when you use it the right way. I even kluged an ANAC out of it at Toorcamp. The downside is you have really really really limited use of variables (for no particularly good reason; it would take basically no effort to add support. I think they actually did this in one of the later CM releases. My guess is it wasn't there in the first place so it didn't hurt the Conversent IVR platform's sales), so it can be kind of annoying to develop stuff for.

Wow, that's even cheaper than I imagined! I'm mainly interested in using it for voicemail, I'm assuming it would do that well? Do I need any special interface cards to make this work with the definity?

Edit: I just inventoried my computers and found the perfect one. I bought that card, too.

Wow, that's even cheaper than I imagined! I'm mainly interested in using it for voicemail, I'm assuming it would do that well?

Er, sorry. I think we got a little mixed up there. The Definity doesn't have the storage space to do voicemail on its own, but it definitely wouldn't be out of the realm of possibility for the hardware to be capable of it with a better IVR scripting language. But yeah, aside from the codec this instance of Audix uses, it does voicemail perfectly well.

Do I need any special interface cards to make this work with the definity?

Just the C-LAN card if you want to use the control protocol that runs between the Definity and Audix. It'll still work without it, though. It's not particularly straightforward to get that working though, since there's some RPMs it wants installed, but it won't tell you which. I think I've figured out how to make it work, but my C-LAN card won't come in the mail until later today. So we'll just have to see. In the meantime, I'll see about getting this uploaded.

By the way, one thing you might want to think about doing is putting a small amount of resistance on the Audix lines, as well as any other really short ones you might have. It shouldn't be a big deal, but one thing I've noticed is the analog station cards tend to run quite hot when you have them offhook for a non-stop, say, 45 minutes or so. I guess they were designed to just have longer loops.

Ok, I've had a C-LAN card in the mail for a week, it's supposed to show up tomorrow. It's not totally clear to me how a definity and AUDIX are interconnected, does it just use analog lines plus a control channel of some sort to let the AUDIX know what voicemail box to serve up? I'd assume it uses coverage paths to get to voicemail, but how does it know what mailbox is being called? I'm looking forward to getting that ISO so I can get started.

Edited August 17, 2016 by xhausted110

There's a special extension type - VMI that seems to send a number of some sort when the line goes offhook. I'm guessing it's the number calling it, but I'll check tonight. Here's a configuration guide Avaya made for setting up an Audix/Definity arrangement: http://downloads.avaya.com/css/P8/documents/100013671

Though it's not documented here, you can do this with regular line classes and a hunt group if you want. Make a hunt group with the Audix lines, and add a vector with the command "converse on split [hunt group ID] priority [whatever]". The next few arguments after that should give you the option to send a number of things after any line in the hunt group goes offhook.

EDIT: Here ya go! Sorry for the sketchy file locker. It's the first I could think of that allows big files for free.

Is it particularly picky about hardware? On a laptop and a VMware machine it installed just fine with an X Window-based installer, but on all of the desktops I've tried (a Pentium III, a Pentium 4 and a Core 2 Duo), it boots into a text-based installer and asks me to insert the disk, like it can't read the CD, even though it accesses the drive. I have some more machines at another location that I'll have to try it on over the weekend.

EDIT: I tried it with one last machine and it installed properly.

Another edit: I installed the system, and then ran the autoinstaller on the CD. Everything installed properly and the GUI works, but the voice system won't stay up. Is that because there are no cards installed? Do I need any special configuration to get it working with the card you recommended with inband signalling?

Another thing: the guide you posted says I need a TN746B line card, a regular 746 won't work because it is 24 volt instead of 48. Is that true in this case?

Is it particularly picky about hardware? On a laptop and a VMware machine it installed just fine with an X Window-based installer, but on all of the desktops I've tried (a Pentium III, a Pentium 4 and a Core 2 Duo), it boots into a text-based installer and asks me to insert the disk, like it can't read the CD, even though it accesses the drive. I have some more machines at another location that I'll have to try it on over the weekend.

Not that I know of. The motherboard I installed it on didn't have onboard graphics and I didn't have a card for it, so I just installed it on a VM and copied the drive image over. You could probably do the same thing yourself if it came down to it; just make sure you get the same number of cylinders and such for the image. I would suggest enabling mgetty on a serial port so you can dial into it, though. The system comes with ethernet drivers for basically just whatever rebadged desktop they happened to bundle Audix with, so the chances of you being able to access it if it's headless are basically zero.

This would be a good time to mention to anyone else who might want to do this that it erases your hard drive without asking when you boot the CD. Sorry, I definitely should've mentioned that.

Quote

Another edit: I installed the system, and then ran the autoinstaller on the CD. Everything installed properly and the GUI works, but the voice system won't stay up. Is that because there are no cards installed? Do I need any special configuration to get it working with the card you recommended with inband signalling?

Yeah, that'd be one of the reasons. The other would be licensing; there's some executable that the system runs, parcrypf, to determine how many lines your system is licensed for. You can overwrite the license file all you want, but every time the program runs (which would be quite a lot), it'll lock it down again. The last time I dealt with this was months ago, but it shouldn't be too hard to figure out what file it's reading to determine the amount of ports it can use. As a quick and dirty fix, you can also just make a shell script that outputs a license file with whatever you want, and swap it with parcrypf.

I'll see if I can figure out what needs to be changed sometime this week.

Quote

Another thing: the guide you posted says I need a TN746B line card, a regular 746 won't work because it is 24 volt instead of 48. Is that true in this case?

That would make sense, yeah. When the system boots, it makes the Dialogic cards test for loop current. If it can't detect it, it'll force the port out of service until you manually get it to test successfully. It's definitely possible 24 volts won't satisfy the Dialogic cards. If you happen to find yourself needing more 746Bs, get the ones from the early or mid nineties. It's not a big deal, but there's a noticeable (but subtle) difference in the noise level on the cards; the newer ones have a bit of hiss on them while the old ones are dead silent. The first two digits of the serial on the front of the card should tell you when it was manufactured.

Anyway, I'll have to take a rain check on the control channel; I can tell you how to install the packages, but you're on your own from there. The C-LAN board I got off eBay turned out to be DoA. Thankfully, the problem looks relatively minor (a few resistors got shaved off the PCB), so I'm going to see if someone who is confident with surface mount soldering can make it work again. It wouldn't feel right to toss an out of production board over 30 cents worth of parts. If you wind up in the same boat, you can always just get it to send the signaling data over DTMF.

Edited August 21, 2016 by ThoughtPhreaker

I ran a trace on parcrypf, and it seems to access a couple of licensing files, but they just look like gibberish to me. It doesn't seem to write anything, and when running it it outputs nothing on the console. Let me know what you ended up doing, I really want to get this working. How do I install that service pack?

The service pack is pretty easy; just run it as an executable. As for parcrypf, I'm not sure exactly what I did to solve the problem, but there's a shell script I redid in the same directory called parse_feat. If nothing else, it shines a bit of light on how the feature options file works. Mods, please let me know if this first script is going to be trouble. If there's any doubts, I'll move it somewhere else.

Sorry the help I'm giving with the licensing is sort of lackluster. I wasn't really feeling very excited about trying to push my way past all of this at the time. It looks like the program edcrypt in the same directory is responsible for decrypting the licensing stuff. The script feat_chg uses it to change things you're already licensed for.

Edited August 28, 2016 by ThoughtPhreaker

Well, I messed around with some of the scripts (mainly feat_chg) and got this to happen. I also replaced parse_feat with your version. This is strange to me because on the "read only" screen it shows max voice ports as 0, but on the update screen it shows the max as 24. What is stopping me here? The "maximum voice ports 0" or the "maximum messaging application N/A"? What does yours show?

Well, I messed around with some of the scripts (mainly feat_chg) and got this to happen. I also replaced parse_feat with your version. This is strange to me because on the "read only" screen it shows max voice ports as 0, but on the update screen it shows the max as 24. What is stopping me here? The "maximum voice ports 0" or the "maximum messaging application N/A"? What does yours show?

Mine does the same thing, but reports the max number as four. It'll change to 24 on the update screen. I took a look at the perl script for that page, and it looks like it's using /msg/software/vs/bin/util/restrict_chans to determine how many channels you can use at that point. It looks like that's reading data from /vs/bin/util/.restrict . There's an interesting message in there:

# This shell had some antiquated code regarding MAP/40S, etc.
# We are going away from software-imposed limits on the number
# of channels. This shell will now simply return as the
# maximum the number from shared memory which indicates the
# number of channels based on the hardware installed.

And then it gets the number of channels by running /vs/bin/shmview -rchans . So where's *that* getting the number of channels from? As per the comments in the script, memory apparently. I checked stack traces and decompiler outputs of shmview and didn't see it trying to access any particularly relevant file. So I guess this is about as good of a time to ask as any: if you type /usr/dialogic/avaya/bin/dlstart, does the Dialogic application start correctly? A normal system will try to make that run on startup, so if you get an error, try stopping it first.

If it does work/is working, try executing sell_chans. I think that should update the number of channels for you.

dlstart does start it successfully. sell_chans says it updated the channels, but it doesn't really. I'm out of ideas here, maybe I could take your encrypted options files and put them on my machine. It's worth a try.

Interestingly, there's a program used by sell_chans; /vs/bin/.cras that claims to attach channels so they're recognized by the system. I assume the Dialogic card has to be running for this to work, but what does '.cras card 0' give you back?

Did either of those ever work for you? If you're still having trouble, I can dig in a little deeper. Especially now since it's cooling down; the Definity/Audix box/other crap sits in my closet. When the temperature starts reaching forty degrees or so it's great, but when it's almost a hundred, it's a little less pleasant to have running for hours.